allow dots in access paths

[pve-access-control.git] / PVE / API2 / AccessControl.pm

diff --git a/PVE/API2/AccessControl.pm b/PVE/API2/AccessControl.pm
index 141bc44831a61c5f55a3a3e6f3ff6c0965d78cb1..5f859197446655436e58501ca282683ddc8c2534 100644 (file)
--- a/PVE/API2/AccessControl.pm
+++ b/PVE/API2/AccessControl.pm
@@ -151,12 +151,22 @@ my $compute_api_permission = sub {
        dc => {},
     };
 
-    foreach my $vmid (keys %$idlist, '__phantom__') {
-       my $perm = $rpcenv->permissions($authuser, "/vms/$vmid");
+    my $extract_vm_caps = sub {
+       my ($path) = @_;
+       
+       my $perm = $rpcenv->permissions($authuser, $path);
        foreach my $priv (keys %$perm) {
-           next if !($priv eq 'Permissions.Modify' ||$priv =~ m/^VM\./);
+           next if !($priv eq 'Permissions.Modify' || $priv =~ m/^VM\./);
            $res->{vms}->{$priv} = 1;   
        }
+    };
+
+    foreach my $pool (keys %{$usercfg->{pools}}) {
+       &$extract_vm_caps("/pool/$pool");
+    }
+
+    foreach my $vmid (keys %$idlist, '__phantom__') {
+       &$extract_vm_caps("/vms/$vmid");
     }
 
     foreach my $storeid (@sids, '__phantom__') {
@@ -254,7 +264,6 @@ __PACKAGE__->register_method ({
        my $rpcenv = PVE::RPCEnvironment::get();
 
        my $res;
-
        eval {
            # test if user exists and is enabled
            $rpcenv->check_user_enabled($username);
@@ -269,7 +278,8 @@ __PACKAGE__->register_method ({
        if (my $err = $@) {
            my $clientip = $rpcenv->get_client_ip() || '';
            syslog('err', "authentication failure; rhost=$clientip user=$username msg=$err");
-           die $err;
+           # do not return any info to prevent user enumeration attacks
+           die PVE::Exception->new("authentication failure\n", code => 401);
        }
 
        $res->{cap} = &$compute_api_permission($rpcenv, $username);